diff --git eclass/go-module.eclass eclass/go-module.eclass
index d5de5f60ccdf..b8a635d52de7 100644
--- eclass/go-module.eclass
+++ eclass/go-module.eclass
@@ -4,22 +4,46 @@
# @ECLASS: go-module.eclass
# @MAINTAINER:
# William Hubbs <[hidden email]>
+# @AUTHOR:
+# William Hubbs <[hidden email]>
+# Robin H. Johnson <[hidden email]>
# @SUPPORTED_EAPIS: 7
# @BLURB: basic eclass for building software written as go modules
# @DESCRIPTION:
-# This eclass provides basic settings and functions
-# needed by all software written in the go programming language that uses
-# go modules.
+# This eclass provides basic settings and functions needed by all software
+# written in the go programming language that uses go modules.
+#
+# You might know the software you are packaging uses modules because
+# it has files named go.sum and go.mod in its top-level source directory.
+# If it does not have these files, try use the golang-* eclasses FIRST!
+# There ARE legacy Golang packages that use external modules with none of
+# go.mod, go.sum, vendor/ that can use this eclass regardless.
+#
+# Guidelines for usage:
+# "go.mod" && "go.sum" && "vendor/":
+# - pre-vendored package. Do NOT set EGO_SUM or EGO_VENDOR.
+#
+# "go.mod" && "go.sum":
+# - Populate EGO_SUM with entries from go.sum
+# - Do NOT include any lines that contain <version>/go.mod
+#
+# "go.mod" only:
+# - Populate EGO_VENDOR
#
-# You will know the software you are packaging uses modules because
-# it will have files named go.sum and go.mod in its top-level source
-# directory. If it does not have these files, use the golang-* eclasses.
+# None of the above:
+# - Did you try golang-* eclasses first? Upstream has undeclared dependencies
+# (perhaps really old source). You can use either EGO_SUM or EGO_VENDOR.
+
#
-# If it has these files and a directory named vendor in its top-level
-# source directory, you only need to inherit the eclass since upstream
-# is vendoring the dependencies.
+# If it has these files AND a directory named "vendor" in its top-level source
+# directory, you only need to inherit the eclass since upstream has already
+# vendored the dependencies.
+
+# If it does not have a vendor directory, you should use the EGO_SUM
+# variable and the go-module_gosum_uris function as shown in the
+# example below to handle dependencies.
#
-# If it does not have a vendor directory, you should use the EGO_VENDOR
+# Alternatively, older versions of this eclass used the EGO_VENDOR
# variable and the go-module_vendor_uris function as shown in the
# example below to handle dependencies.
#
@@ -28,6 +52,21 @@
# dependencies. So please make sure it is accurate.
#
# @EXAMPLE:
+# @CODE
+#
+# inherit go-module
+#
+# EGO_SUM=(
+# "github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ="
+# "github.com/BurntSushi/toml v0.3.1/go.mod h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ="
+# )
+# S="${WORKDIR}/${MY_P}"
+# go-module_set_globals
+#
+# SRC_URI="https://github.com/example/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz
+# ${EGO_SUM_SRC_URI}"
+#
+# @CODE
#
# @CODE
#
@@ -35,7 +74,7 @@
#
# EGO_VENDOR=(
# "github.com/xenolf/lego 6cac0ea7d8b28c889f709ec7fa92e92b82f490dd"
-# "golang.org/x/crypto 453249f01cfeb54c3d549ddb75ff152ca243f9d8 github.com/golang/crypto"
+# "golang.org/x/crypto 453249f01cfeb54c3d549ddb75ff152ca243f9d8 github.com/golang/crypto"
# )
#
# SRC_URI="https://github.com/example/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz
@@ -64,10 +103,12 @@ export GO111MODULE=on
export GOCACHE="${T}/go-build"

# The following go flags should be used for all builds.
-# -mod=vendor stopps downloading of dependencies from the internet.
# -v prints the names of packages as they are compiled
# -x prints commands as they are executed
-export GOFLAGS="-mod=vendor -v -x"
+# -mod=vendor use the vendor directory instead of downloading dependencies
+# -mod=readonly do not update go.mod/go.sum but fail if updates are needed
+export GOFLAGS="-v -x -mod=readonly"
+[[ ${#EGO_VENDOR[@]} -gt 0 ]] && GOFLAGS+=" -mod=vendor"

# Do not complain about CFLAGS etc since go projects do not use them.
QA_FLAGS_IGNORED='.*'
@@ -75,7 +116,23 @@ QA_FLAGS_IGNORED='.*'
# Go packages should not be stripped with strip(1).
RESTRICT="strip"

-EXPORT_FUNCTIONS src_unpack pkg_postinst
+EXPORT_FUNCTIONS src_unpack src_prepare pkg_postinst
+
+# @ECLASS-VARIABLE: EGO_SUM
+# @DESCRIPTION:
+# This variable duplicates the go.sum content from inside the target package.
+# Entries of the form <version>/go.mod should be excluded.
+#
+# <module> <version> <hash>
+#
+# The format is described upstream here:
+# https://tip.golang.org/cmd/go/#hdr-Module_authentication_using_go_sum+#
+# <hash> is the Hash1 structure used by upstream Go
+# Note that Hash1 is MORE stable than Gentoo distfile hashing, and upstream
+# warns that it's conceptually possible for the Hash1 value to remain stable
+# while the upstream zipfiles change. E.g. it does NOT capture mtime changes in
+# files within a zipfile.

Re: [PATCH 3/3] app-admin/kube-bench: convert to go-module go.sum

On Sun, Feb 09, 2020 at 08:38:23PM +0000, Michael 'veremitz' Everitt wrote:
> On 09/02/20 20:31, Robin H. Johnson wrote:
...
> Hrm, pardon my ignorance, but do 'we' really need to review 232 lines of
> Manifest?!
No, but I wanted to show scale of Manifest that is going to be present
in covering all the dependencies for static-build languages like Golang.

Every entry in EGO_SUM is 2-3 files that need to be fetched (two tiny
files, one a bit larger [zip of source]).

Re: [PATCH 3/3] app-admin/kube-bench: convert to go-module go.sum

On 09/02/20 20:47, Robin H. Johnson wrote:

> On Sun, Feb 09, 2020 at 08:38:23PM +0000, Michael 'veremitz' Everitt wrote:
>> On 09/02/20 20:31, Robin H. Johnson wrote:
> ...
>> Hrm, pardon my ignorance, but do 'we' really need to review 232 lines of
>> Manifest?!
> No, but I wanted to show scale of Manifest that is going to be present
> in covering all the dependencies for static-build languages like Golang.
>
> Every entry in EGO_SUM is 2-3 files that need to be fetched (two tiny
> files, one a bit larger [zip of source]).
>
> app-admin/kube-bench has _77_ dependencies, each with 3 distfiles.
>

Re: [PATCH 3/3] app-admin/kube-bench: convert to go-module go.sum

On 09/02/20 20:55, Michał Górny wrote:
> On Sun, 2020-02-09 at 20:38 +0000, Michael 'veremitz' Everitt wrote:
>> Hrm, pardon my ignorance, but do 'we' really need to review 232 lines of
>> Manifest?!
> Pardon mine but do 'we' really need to read your useless comments
> everywhere, all the time and just get irritated for no benefit to
> Gentoo?
>
There's a really simple method to deal with that .. would you like me to
explain, or would that be 'useless' too?

Re: [PATCH 3/3] app-admin/kube-bench: convert to go-module go.sum

On 09/02/20 20:57, Michael 'veremitz' Everitt wrote:

> On 09/02/20 20:55, Michał Górny wrote:
>> On Sun, 2020-02-09 at 20:38 +0000, Michael 'veremitz' Everitt wrote:
>>> Hrm, pardon my ignorance, but do 'we' really need to review 232 lines of
>>> Manifest?!
>> Pardon mine but do 'we' really need to read your useless comments
>> everywhere, all the time and just get irritated for no benefit to
>> Gentoo?
>>
> There's a really simple method to deal with that .. would you like me to
> explain, or would that be 'useless' too?
>

For the benefit of other readers, it's clear Michal is incapable of

implementing the measures I am thinking of .. or simply isn't aware of what
they might be?
which is quite unusual for a developer of his supposed capability ...

Re: [PATCH 3/3] app-admin/kube-bench: convert to go-module go.sum

On 09/02/20 20:59, Michael 'veremitz' Everitt wrote:

> On 09/02/20 20:57, Michael 'veremitz' Everitt wrote:
>> On 09/02/20 20:55, Michał Górny wrote:
>>> On Sun, 2020-02-09 at 20:38 +0000, Michael 'veremitz' Everitt wrote:
>>>> Hrm, pardon my ignorance, but do 'we' really need to review 232 lines of
>>>> Manifest?!
>>> Pardon mine but do 'we' really need to read your useless comments
>>> everywhere, all the time and just get irritated for no benefit to
>>> Gentoo?
>>>
>> There's a really simple method to deal with that .. would you like me to
>> explain, or would that be 'useless' too?
>>
> For the benefit of other readers, it's clear Michal is incapable of
> implementing the measures I am thinking of .. or simply isn't aware of what
> they might be?
> which is quite unusual for a developer of his supposed capability ...
>

For the avoidance of doubt, whilst my ban from this list is enacted, here

is the list of "Unacceptable behaviour" from the Gentoo Code of Conduct[1].

"Deciding to suspend or ban someone isn't a decision to be taken lightly,
but sometimes it has to happen. Below is a list of things that could result
in disciplinary action. * Flaming and trolling. What is trolling? You are
deemed to be trolling if you make comments intended to provoke an angry
response from others. What is flaming? Flaming is the act of sending or
posting messages that are deliberately hostile and insulting.
* Posting/participating only to incite drama or negativity rather than to
tactfully share information.
* Being judgmental, mean-spirited or insulting. It is possible to
respectfully challenge someone in a way that empowers without being
judgemental.
* Constantly purveying misinformation despite repeated warnings."

It is left as an exercise for the reader, who is transgressing here...

Re: [PATCH 3/3] app-admin/kube-bench: convert to go-module go.sum

>
> On 09/02/20 20:59, Michael 'veremitz' Everitt wrote:
> > On 09/02/20 20:57, Michael 'veremitz' Everitt wrote:
> >> On 09/02/20 20:55, Michał Górny wrote:
> >>> On Sun, 2020-02-09 at 20:38 +0000, Michael 'veremitz' Everitt wrote:
> >>>> Hrm, pardon my ignorance, but do 'we' really need to review 232 lines of
> >>>> Manifest?!
> >>> Pardon mine but do 'we' really need to read your useless comments
> >>> everywhere, all the time and just get irritated for no benefit to
> >>> Gentoo?
> >>>
> >> There's a really simple method to deal with that .. would you like me to
> >> explain, or would that be 'useless' too?
> >>
> > For the benefit of other readers, it's clear Michal is incapable of
> > implementing the measures I am thinking of .. or simply isn't aware of what
> > they might be?
> > which is quite unusual for a developer of his supposed capability ...
> >
> For the avoidance of doubt, whilst my ban from this list is enacted, here
> is the list of "Unacceptable behaviour" from the Gentoo Code of Conduct[1].
>
> "Deciding to suspend or ban someone isn't a decision to be taken lightly,
> but sometimes it has to happen. Below is a list of things that could result
> in disciplinary action. * Flaming and trolling. What is trolling? You are
> deemed to be trolling if you make comments intended to provoke an angry
> response from others. What is flaming? Flaming is the act of sending or
> posting messages that are deliberately hostile and insulting.
> * Posting/participating only to incite drama or negativity rather than to
> tactfully share information.
> * Being judgmental, mean-spirited or insulting. It is possible to
> respectfully challenge someone in a way that empowers without being
> judgemental.
> * Constantly purveying misinformation despite repeated warnings."
>
> It is left as an exercise for the reader, who is transgressing here...
>

"Technically I'm not violating the rules" is the weakest argument.

Can you just please save everyone the headache of litigating this and
act a little more professional and a little less silly on the mailing
list? (And on IRC if I'm asking)

Here's a good approximation to determine whether your mail is worth
sending: before you press send, ask yourself if the person you're
replying to gains anything by reading your reply. If the answer is on
the range "unlikely" to "no", then just don't send the reply.

Re: [PATCH 1/3] eclass/go-module: add support for building based on go.sum

On Sun, Feb 09, 2020 at 04:11:28PM -0600, William Hubbs wrote:
> On Sun, Feb 09, 2020 at 12:31:19PM -0800, Robin H. Johnson wrote:
> > +# "go.mod" only:
> > +# - Populate EGO_VENDOR
> go.mod without go.sum can mean that there are no external dependencies, so there
> shouldn't be a reason to populate EGO_VENDOR in this case.
...
> The way I see this going is to transition to EGO_SUM and
> drop EGO_VENDOR. unless I'm missing something.
I know another corner case for legacy stuff, but let's drop entirely and
encourage migration to EGO_SUM.

Re: [PATCH 3/3] app-admin/kube-bench: convert to go-module go.sum

> On 09/02/20 20:59, Michael 'veremitz' Everitt wrote:
>> On 09/02/20 20:57, Michael 'veremitz' Everitt wrote:
>>> On 09/02/20 20:55, Michał Górny wrote:
>>>> On Sun, 2020-02-09 at 20:38 +0000, Michael 'veremitz' Everitt wrote:
>>>>> Hrm, pardon my ignorance, but do 'we' really need to review 232 lines of
>>>>> Manifest?!
>>>> Pardon mine but do 'we' really need to read your useless comments
>>>> everywhere, all the time and just get irritated for no benefit to
>>>> Gentoo?
>>>>
>>> There's a really simple method to deal with that .. would you like me to
>>> explain, or would that be 'useless' too?
>>>
>> For the benefit of other readers, it's clear Michal is incapable of
>> implementing the measures I am thinking of .. or simply isn't aware of what
>> they might be?
>> which is quite unusual for a developer of his supposed capability ...
>>
> For the avoidance of doubt, whilst my ban from this list is enacted, here
> is the list of "Unacceptable behaviour" from the Gentoo Code of Conduct[1].
>
> "Deciding to suspend or ban someone isn't a decision to be taken lightly,
> but sometimes it has to happen. Below is a list of things that could result
> in disciplinary action. * Flaming and trolling. What is trolling? You are
> deemed to be trolling if you make comments intended to provoke an angry
> response from others. What is flaming? Flaming is the act of sending or
> posting messages that are deliberately hostile and insulting.
> * Posting/participating only to incite drama or negativity rather than to
> tactfully share information.
> * Being judgmental, mean-spirited or insulting. It is possible to
> respectfully challenge someone in a way that empowers without being
> judgemental.
> * Constantly purveying misinformation despite repeated warnings."
>
> It is left as an exercise for the reader, who is transgressing here...
>

My final posting to this list (for posting this I am insuring my permanent

banning) here is the correspondence from the "ComRel" or Community
Relations bug (currently private) in the subject of 'policing' the mailing
lists:
------
David Seifert gentoo-dev 2020-02-10 15:18:53 GMT

M. J. Everitt (veremitz on IRC) has used the dev ML to post general chatter
which contributes zero to the discussion at hand and just lowers the
signal-to-noise ratio. Previously, when the ML had a whitelist instead of a
blacklist, I requested his removal already (bug 664688), and I'd like
comrel to vote on blacklisting him posting to the gentoo-dev ML.